Updated January 1, 1 . AmFam Team
Almost daily, news breaks of another corporate data breach that puts millions of customer’s sensitive data in the hands of hackers. No company is safe from data breaches, as even the most secure corporations have fallen prey to a cyberattack.
Any business that collects personal information from consumers is required to have a security plan to protect the confidentiality and integrity of their information. With that in mind, here are some best practices for data breach prevention, and how to design and implement them so you and your customers can sleep easy knowing your data is safe.
With so many of us dependent on the internet for work, you’ve no doubt heard all about data breaches. But did you know that there are three different major types of breaches?
Here’s a quick overview of each:
Fear not though, as the best way for you to prevent a data breach of your property is to simply heighten your awareness. Never leave anything that holds data outside of your reach.
Sadly, data breaches are nothing new, and they aren’t going anywhere. But not all data collectors are doing so nefariously or for personal gain. In fact, financial institutions, since they collect a wide array of data from their clients, are kept in check thanks to the Safeguard Rule.
When consumers open an account, register to receive information, or purchase a product from a business, it is very likely that they will entrust their personal information as part of the process. If this information is compromised, the consequences can be far-reaching: consumers can be at risk of identity theft, or they can discontinue dealing with the business.
A business that collects personal information from consumers should have a security plan to protect the confidentiality and integrity of the information. This is why the Federal Trade Commission (FTC) has issued the Safeguards Rule as part of the Gramm-Leach-Bliley (GLB) Act. The GLB Act and Safeguards Rule requires financial institutions that collect personal information from their customers to ensure the security and confidentiality of that private information.
The Safeguards Rule applies to businesses, regardless of size, that are "significantly engaged" in providing financial products or services to consumers. This includes:
The Safeguards Rule also applies to financial companies, like credit reporting agencies and ATM operators, that receive information from other financial institutions about their customers. In addition to developing their own safeguards, businesses are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
The threats to the data security of a business’ information are varied – from computer hackers to disgruntled employees to simple carelessness. While protecting computer systems is an important aspect of information security, it is only part of the process. We’ve gathered key information on how businesses can protect personal information from a data breach, as well as additional resources to help design and implement an information security plan.
Sound information and data security for a business means regular risk assessment, effective coordination and oversight, and prompt response to new developments. Basic steps in information and data security planning for breach prevention include:
When setting up a security program, businesses should consider all the relevant areas of its operations, including employee management and training, information systems like network and software design, information processing and contingencies that include preventing, detecting and responding to a system failure.
Although the security planning process is universal, there’s no “one size fits all” security plan. Every business faces its own special risks. The administrative, technical, and physical safeguards that are appropriate really depend on the size and complexity of the business, the nature and scope of the business, and the sensitivity of the consumer information it keeps.
Computer systems are not a business’ only responsibility related to information security, but they are an important one. With new vulnerabilities announced near weekly, and cybercrime on the rise, many businesses may feel overwhelmed trying to keep current.
Guidance is available from leading security professionals who put together consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information and data security, can take basic steps to reduce its risk of a data breach.
One of these lists is the OWASP Top Ten, a resource that describes common vulnerabilities for web applications and databases, and the most effective ways to address them. Another is the CIS Controls, a set of guidelines and actionable solutions to stopping cyberattacks.
The lists identify the commonly exploited vulnerabilities that pose the greatest risk of harm to information systems. A business can use these lists to help prioritize its efforts so that the most serious threats are tackled first.
When a business implements safeguards, it should consider all areas of its operation, including three areas that are particularly important to information security: employee management and training, information systems and managing system failures. The business should consider implementing the following practices in these areas.
The success or failure of your information security plan depends largely on the employees who implement it. You may want to check references prior to hiring employees who will have access to customer data.
Ask every new employee to sign an agreement to follow your organization's confidentiality and security standards for handling customer data and information.
Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer data, such as:
Instruct and regularly remind all employees of your organization's policy — and the legal requirement — to keep customer data and information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and post reminders about their responsibility for security in areas where such information is stored - in file rooms, for example.
Limit access to customer information to employees who have a business reason for seeing it. For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.
Information systems include network and software design, information processing, storage, transmission, retrieval and disposal. The following are suggestions on how to maintain security throughout the life cycle of customer information — from data entry to data disposal.
Consider enacting the following to make sure sensitive data is safely transferred.
Confidential information needs to be disposed of as safely as possible so that cyberthieves aren’t able to access it. Be sure to:
Effective security management includes the prevention, detection, and response to attacks, intrusions, or other system failures. Effective ways to maintain up-to-date appropriate programs and controls include:
In an effort to protect the privacy of consumer information and data to reduce the risk of fraud and identity theft, a federal rule requires businesses to take appropriate measures to dispose of sensitive information derived from consumer reports.
Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule (Opens in a new tab). The Rule requires the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.”
According to the FTC, the standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
As you begin to undertake the tasks above in an effort to secure your business from data breaches, remember to back up your important files to an encrypted, offsite, redundant storage facility. Taking on the task of getting your data secure can feel overwhelming, and it’s here where accomplishing small goals each day will pay off.
While you’re thinking about protecting your data, remember to take time out and review your business policy with an agent. You’re going to find coverage that fits your business’ needs, and feel great knowing that you’re protected from whatever might come your way.
This article is for informational purposes only and is available through different sources. This information does not, and is not intended to, constitute legal advice. You should contact your attorney for legal advice specific to your situation.